
Creating an Azure policy definition is a straightforward process. You can use the Azure portal or Azure CLI to create a policy definition.
To create a policy definition, you need to specify a policy rule, which defines the policy's logic. A policy rule is a JSON object that contains a policy effect, such as "deny" or "audit".
Policy definitions can be used to enforce compliance with organizational standards and regulatory requirements. By defining a policy, you can ensure that resources in your Azure subscription meet specific criteria.
Azure policy definitions can be managed through the Azure portal, Azure CLI, or Azure PowerShell.
For more insights, see: Azure Powershell vs Cli
Creating Policies
Creating Azure policies is a straightforward process that can be done using the Azure portal. You can create your own policy definitions or use the built-in ones.
To create a policy definition, you need to specify the logic that resources must satisfy. This can be as simple as defining the locations where resources can be deployed in your organization.
There are four basic steps to create Azure policies: create the policy definition, create an initiative definition, specify the scope of the initiative definition, and determine compliance.
Here are the four steps in more detail:
- Create the policy definition: This is the logic that resources must satisfy.
- Create an initiative definition: This is a collection of multiple policy definitions that helps you keep track of compliance and gives you a wider scope to manage policies.
- Scope of the initiative definition: This is where you control how the initiative definitions are enforced to your resources in your organization.
- Determine Compliance: This is where you check the compliance of resources in your organization, and you can exclude individual resources, resource groups, or subscriptions from the compliance of the initiative definition.
By following these steps, you can create Azure policies that enforce rules and compliance on your resources in real-time.
Policy Definition
A policy definition in Azure Policy is the foundation of your governance strategy. It's essentially a logic that resources must satisfy to perform certain actions in your organization.
To create a policy definition, you can either use built-in policies or create your own custom definitions. Built-in policies are available by default and include examples such as Allowed Storage Account SKUs (Deny), Allowed Resource Type (Deny), and Allowed Locations (Deny).
These built-in policies can be used as is or modified to suit your organization's needs. You can also create custom policy definitions to meet specific requirements.
A unique perspective: Is Azure a Word
Here are some key points to consider when creating a policy definition:
- Policy definitions have conditions that must be met, and a defined effect that takes place if the conditions are met.
- Policy parameters can be defined to make policy definitions more generic and reusable.
- Policy parameters can be used to pass in different values when assigning a policy definition.
By following these guidelines, you can create effective policy definitions that help enforce rules and compliance in your organization.
Display Name & Description
When creating a policy definition, it's essential to provide a clear and concise display name and description. The display name should be a maximum of 128 characters, while the description can be up to 512 characters.
A well-crafted display name and description will help you and others quickly understand the purpose and scope of your policy definition. This is especially important when working with multiple policy definitions, as it makes it easier to identify and manage them.
You can use the display name and description to provide context for when the definition is used. For example, if you have a policy definition that restricts the use of certain resource types, your display name and description should clearly indicate this.
Here are some key points to keep in mind when creating your display name and description:
- Display name: up to 128 characters
- Description: up to 512 characters
- Use clear and concise language to describe the purpose and scope of your policy definition
- Provide context for when the definition is used
Type
When creating a policy definition, it's essential to understand the different types of policies that exist.
There are three values returned by the SDK and visible in the portal: Builtin, Custom, and Static. Builtin policies are provided and maintained by Microsoft, Custom policies are created by customers, and Static policies are Regulatory Compliance policy definitions with Microsoft Ownership.
Policy types are determined by the policyType property, which can't be set by users.
Here's a breakdown of the three policy types:
Understanding the policy type is crucial when creating and assigning policies, as it affects how they're managed and enforced.
Mode
The mode of a policy definition determines which resource types will be evaluated. This is important to consider, especially when enforcing tags or locations.
The supported modes are all and indexed. All modes evaluate resource groups and all resource types, while indexed mode only evaluates resource types that support tags and location.
If you're creating policies through the portal, the mode is set to all by default. However, if you're using PowerShell or Azure CLI, you can specify the mode parameter manually.
In general, it's recommended to set mode to all in most cases, as it ensures that all resource types are evaluated. This is especially true when enforcing location or tags on a resource group or subscription, which requires setting mode to all.
Here are the supported modes:
It's worth noting that using indexed mode can improve the performance of your policy definition, but it's not always necessary.
Definition
A policy definition is the foundation of Azure Policy, and it's essential to understand its structure and components. Every policy definition has conditions that determine when it's enforced and a defined effect that takes place if the conditions are met.
Azure Policy offers several built-in policies that are available by default, including Allowed Storage Account SKUs (Deny), Allowed Resource Type (Deny), and Allowed Locations (Deny). These policies can be used as-is or modified to suit your organization's needs.
Policy parameters help simplify policy management by reducing the number of policy definitions needed. You can define parameters when creating a policy definition to make it more generic, and then reuse that policy definition for different scenarios by passing in different values when assigning the policy definition.
On a similar theme: Where Are Policies in Azure
For example, you can define a parameter for a policy titled location and give it different values such as EastUS or WestUS when assigning a policy.
Here are some key components of a policy definition:
- Conditions: Determine when the policy is enforced
- Effect: Takes place if the conditions are met
- Parameters: Allow for generic policy definitions that can be reused for different scenarios
By understanding the structure and components of a policy definition, you can create effective policies that meet your organization's needs and ensure compliance with security requirements.
Operators
Operators are a crucial part of Azure Policy Definitions, allowing you to specify conditions and effects for your policies.
There are three main logic operators available: allOf, anyOf, and not. allOf requires all conditions to be true, while anyOf requires one or more conditions to be true. not Inverts the results of the condition.
These operators can be used to create complex policy rules, allowing you to specify multiple conditions and effects for your policies.
Here's a summary of the logic operators:
By using these operators, you can create policy definitions that are tailored to your specific needs and requirements.
RBAC
RBAC plays a crucial role in Azure Policy. Azure RBAC focuses on managing user actions at different scopes, making it the correct tool to use when control of an action is required based on user information.
The combination of Azure RBAC and Azure Policy provides full scope control in Azure. This means that even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still blocks the create or update.
Azure Policy operations can have a significant effect on your Azure environment. Only the minimum set of permissions necessary to perform a task should be assigned and these permissions shouldn't be granted to users who don't need them.
The Resource Policy Contributor role includes most Azure Policy operations. Owner has full rights, while Contributor may trigger resource remediation, but can't create or update definitions and assignments.
Here are some built-in roles that grant permission to Azure Policy resources:
- Resource Policy Contributor
- Owner
- Contributor
- Reader
- User Access Administrator
All Policy objects, including definitions, initiatives, and assignments, will be readable to all roles over its scope. For example, a Policy assignment scoped to an Azure subscription will be readable by all role holders at the subscription scope and below.
Location
To define a policy, you need to specify a location. This location determines the scope to which the policy can be assigned.
The definition location must be a management group or a subscription. This is where you'll determine the scope of your policy.
If you choose a subscription as the definition location, only resources within that subscription can be assigned the policy definition. This means you have a clear boundary for your policy.
Here are the key differences between a subscription and a management group as definition locations:
- Subscription: Only resources within the subscription can be assigned the policy definition.
- Management group: Only resources within child management groups and child subscriptions can be assigned the policy definition.
A management group is a better choice if you plan to apply the policy definition to several subscriptions. This is because it contains each subscription, giving you a broader scope for your policy.
Policy Evaluation
Azure Policy allows you to control the response to an evaluation, which is crucial for handling non-compliant resources. This is achieved through the application of effects, such as denying the resource change, logging the change to the resource, or altering the resource before the change.
Azure Policy evaluates requests to create or update a resource in a specific order. The order is as follows: disabled is checked first, followed by append and modify, deny, audit, manual, auditIfNotExists, and finally denyAction.
Here's a breakdown of the evaluation order:
- disabled: checked first to determine whether the policy rule should be evaluated.
- append and modify: evaluated next, as they can alter the request.
- deny: evaluated before audit to prevent double logging of undesired resources.
- audit: evaluated after deny.
- manual: evaluated after audit.
- auditIfNotExists: evaluated after a Resource Provider returns a success code.
- denyAction: evaluated last.
Control Evaluation Response
Control Evaluation Response is a crucial aspect of policy evaluation. Organizations have different business rules for handling non-compliant resources, and Azure Policy makes it possible to respond to these situations.
Azure Policy allows you to deny the resource change if it's not compliant. You can also log the change to the resource, which can be helpful for auditing and tracking purposes.
Some organizations want to alter the resource before the change, while others prefer to alter it after the change. Either way, Azure Policy makes it possible through the application of effects.
You can also use Azure Policy to deploy related compliant resources, which can help ensure that your resources are always up-to-date and compliant.
Here are some examples of how Azure Policy can respond to non-compliant resources:
- Deny the resource change
- Log the change to the resource
- Alter the resource before the change
- Alter the resource after the change
- Deploy related compliant resources
- Block actions on resources
Order of Evaluation
Azure Policy evaluates requests to create or update a resource by first creating a list of all assignments that apply to the resource. It then evaluates the resource against each definition.
Disabled is checked first to determine whether the policy rule should be evaluated. This prevents unnecessary processing by a Resource Provider when a resource doesn't meet the designed governance controls of Azure Policy.
The order of evaluation for Resource Manager mode is as follows:
- Disabled is checked first.
- Append and modify are then evaluated.
- Deny is evaluated next, preventing double logging of an undesired resource.
- Audit is evaluated after deny.
- Manual is evaluated.
- AuditIfNotExists is evaluated.
- DenyAction is evaluated last.
This order makes sense because it prevents unnecessary processing and ensures that the most critical effects are evaluated first. For example, if a resource doesn't meet the governance controls, it's best to deny the request immediately rather than auditing it first.
Policy Management
To manage policies effectively, start with an audit instead of an enforcement effect to track the impact of your policy definition on resources in your environment. This approach helps prevent hindering automation tasks already in place.
Consider organizational hierarchies when creating definitions and assignments. It's recommended to create definitions at higher levels, such as the management group or subscription level, and then create assignments at the next child level.
You can create Azure policies using Azure CLI or Azure portal. There are four basic steps to create policies: create a policy definition, create an initiative definition, scope the initiative definition, and determine compliance.
Broaden your view: Azure Devops Branch Policies
Remediate Non-Compliant Resources
Azure Policy allows you to remediate non-compliant resources without altering the resource itself. This is a powerful feature that helps maintain compliance and governance across your organization.
You can use Azure Policy to remediate resources that are not compliant with your policies, making it easier to maintain a consistent and secure environment.
Azure Policy supports remediation of existing non-compliant resources, giving you flexibility and control over your resources.
Here's a summary of the remediation capabilities of Azure Policy:
- Remediate non-compliant resources without altering the resource itself.
- Supports remediation of existing non-compliant resources.
- Helps maintain compliance and governance across your organization.
By using Azure Policy to remediate non-compliant resources, you can ensure that your environment remains secure, compliant, and consistent.
Manage Policies
Managing policies is a crucial step in ensuring your Azure environment is secure and compliant. It's essential to start with an audit or auditIfNotExist effect instead of an enforcement (deny, modify, deployIfNotExist) effect to track the impact of your policy definition on resources.
Consider organizational hierarchies when creating definitions and assignments. Creating definitions at higher levels, such as the management group or subscription level, and then creating assignments at the next child level is a recommended approach.
Creating and assigning initiative definitions, even if starting with a single policy definition, is a good practice. This enables you to add policy definitions to the initiative later without increasing the number of assignments to manage.
Managing Azure Policy resources as code with manual reviews on changes to policy definitions, initiatives, and assignments is recommended. This approach helps track changes and ensures compliance.
Here are some key considerations for managing policies:
- Start with an audit or auditIfNotExist effect.
- Consider organizational hierarchies.
- Create initiative definitions.
- Manage Azure Policy resources as code.
By following these best practices, you can effectively manage your policies and ensure your Azure environment is secure and compliant.
Policy Configuration
Policy Configuration is a crucial step in defining and managing Azure Policy. Start with an audit or auditIfNotExist effect instead of an enforcement (deny, modify, deployIfNotExist) effect to track the impact of your policy definition on resources in your environment.
This approach helps prevent conflicts with existing automation tasks, such as scripts for autoscaling applications. Consider organizational hierarchies when creating definitions and assignments, and create definitions at higher levels like the management group or subscription level.
Create assignments at the next child level, and if you create a definition at a management group, the assignment can be scoped down to a subscription or resource group within that management group. This helps maintain a clear and organized structure.
To simplify management, create and assign initiative definitions even if you're starting with a single policy definition. This allows you to add policy definitions to the initiative later without increasing the number of assignments to manage.
Here are some best practices for managing Azure Policy resources as code:
- Manage Azure Policy resources as code with manual reviews on changes to policy definitions, initiatives, and assignments.
- See Design Azure Policy as Code Workflows for suggested patterns and tooling.
Policy Overview
Azure Policy is a powerful tool for evaluating resources and actions in Azure. It compares the properties of resources to business rules, which are described in JSON format as policy definitions.
Policy definitions can be grouped together to form a policy initiative, also known as a policySet. This simplifies management by allowing multiple rules to be applied together.
The policy definition or initiative is assigned to a scope of resources, which can be a management group, subscription, resource group, or individual resource. This assignment applies to all resources within the Resource Manager scope.
On a similar theme: Gpo Azure Ad
Overview
Azure Policy is a tool that evaluates resources and actions in Azure by comparing their properties to business rules, known as policy definitions, which are described in JSON format.
These policy definitions can be grouped together to form a policy initiative, simplifying management and making it easier to apply business rules to multiple resources at once.
Assignments of policy definitions or initiatives can be applied to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.
Explore further: Azure Api Management Policy
The assignment applies to all resources within the Resource Manager scope of that assignment, and subscopes can be excluded if necessary.
Azure Policy uses a JSON format to form the logic that determines whether a resource is compliant or not, including metadata and the policy rule.
The policy rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want.
This allows you to create complex scenarios, like limiting users to only using consumption-based logic apps, by understanding the options that can be assessed by an Azure Policy.
Advantages of Policies
Policies are a powerful tool in Azure, and understanding their advantages can help you get the most out of them.
Enforcing rules and compliance is one of the key benefits of Azure policies. This allows you to ensure that your resources are always in line with your organization's standards.
With Azure policies, you can apply policies at scale, covering multiple subscriptions and resources under your management group. This umbrella approach makes it easier to manage and enforce policies across your entire organization.

Azure policies can also be used for real-time remediation, helping you fix non-compliant resources on the fly. This can save you time and effort in the long run.
Policies can be used to exercise governance tasks, such as standardizing cloud resource configurations and enforcing compliance, cost control, security, and design consistency across your organization. This helps maintain a cohesive and secure environment.
Here are some of the key advantages of Azure policies:
- Enforce rules and compliance in real-time
- Apply policies at scale, covering multiple subscriptions and resources
- Remediate non-compliant resources in real-time
- Exercise governance tasks, such as standardization and compliance enforcement
Policy Deployment
When deploying Azure Policy definitions, it's essential to start with an audit or auditIfNotExist effect instead of an enforcement (deny, modify, deployIfNotExist) effect to track the impact of your policy definition on the resources in your environment.
This approach allows you to monitor the effect of your policy without hindering existing automation tasks. For example, if you have scripts already in place to autoscale your applications, setting an enforcement effect may interfere with these scripts.
Consider organizational hierarchies when creating definitions and assignments. Creating definitions at higher levels such as the management group or subscription level makes it easier to scope down assignments to specific resource groups.
Creating initiative definitions even if you're starting with a single policy definition is also a good idea. This enables you to add policy definitions to the initiative later without increasing the number of assignments to manage.
To manage Azure Policy resources effectively, consider managing them as code with manual reviews on changes to policy definitions, initiatives, and assignments. This approach helps you track changes and maintain a consistent policy framework.
Frequently Asked Questions
What is the difference between Azure policy definition and initiative?
Azure policy definition refers to the individual rules and effects applied to resources, while an initiative is a collection of related policies that work together to achieve a specific goal. Think of policies as individual building blocks, and initiatives as the blueprints that bring them together to accomplish a common objective.
Featured Images: pexels.com


